Thank you for this quick feedback.
On 15/09/16 09:04 PM, d...@deadhat.com wrote:
> Hi!
>> A true random number generation strategy is no better than its
>> trustworthiness. Here is a suggestion for a simple scheme which rests on
>> a common digital electronic design.
>> [...]
>> Unavoidable current noise sources:
>> - thermal noise
>> - excess current noise caused by the above resistor material
>> construction
>> Noise sources to be reduced (as a matter of sampling approach coherency)
>> - electrostatic ...
>> - electromagnetic ...
>> Any thoughts?
> Yes.
> A) Can you build 100,000,000 and expect them all to work?
No. The stated goal is to provide some scheme that a few wise guys may
trust. So, building 20 units and having you as a satisfied user would be
a more realistic goal. Microsoft and Apple seem to be trusted by the crowd.
> B) Can you expect those 100,000,000 resistors to behave in a
> consistent manner or will the supplier switch compounds on you while you
> aren't looking. If you try and buy a paper-oil cap today, you'll get a
> poly pretending to be paper-oil. I assume it's the same for obsolete
> resistor compounds.
This brings the question of characterization of cheap material procured
from the mass market channels. Obviously it is part of the detailed
crafting process.
Realistically, one would be able to avoid the trouble here, e.g. by
buying a few rolls of 5000 resistors from a few manufacturers.
> C) What are the EM injection opportunities to measured noise? Can you
> saturate the inputs?
Also part of the implementation details to watch. This small circuit may
be located in a Faraday cage. Hopefully its internals will remain tamper
evident for a very paranoiac user.
About input saturation, the expected result of experimentation (with
analysis) is some confidence that current noise is the main source of
data fluctuation (I do not state which statistic to apply here for "data
fluctuation"), and then EM could hardly induce the relevant resistor
currents without e.g. a large coil within a short distance. Admittedly,
this is not a definitive answer for a very paranoiac user.
Do you have a scheme overall immune to EM injection opportunities? Is
the complexity of this scheme such that every external influence
opportunity may be ruled out?
> D) How are you planning to characterize the min entropy of the source? We
> know the min entropy of well defined Gaussian noise, but what about shot,
> 1/f and all the other weird distributions?
> D_a) Can you distinguish that noise from system noise that might be
> systematic rather than entropic?
Two aspects: entropy and the inherently compound measurement of multiple
(and little understood) noise sources ("noise from system" might be
rather vague for a physicist).
About compound measurement, careful crafting of the Wheatstone bridge
(and its excitation voltage source) is expected to provide some
assurance that current noise (thermal noise and excess current noise
from resistor material properties) is the foremost contributor to data
fluctuations.
Min entropy characterization: no definite plan. The raw 24-bit samples
will be available for attempts at distribution characterization. I
suspect however that a paranoiac user will fear that after gigabytes of
data fed to the characterization process, the source might suddenly turn
low entropy when the data is switched to the cryptographic random secret
generation process.
> E) Do you have an extractor algorithm in mind that is proven to work at
> the lower bound for the min entropy you expect from the source?
I might have ideas in this area of concern but "proven extractor
algorithm" is something orthogonal to the source: a proven algo would
have its proof for a given "min entropy" abstract concept.
> F) Are you wanting computational prediction bounds at the output of the
> extractor or do you want H_inf(X) = 1?
> F_1) If you want the entropy answer, then you need to consider multiple
> input extractors.
> F_2) Oh, and quantum-safe extractors are a thing now.
These questions, which I do not understand fully, would be orthogonal to
the source.
> G) Are any certifications required? In my experience P(Y) -> 1 as t ->
> infinity. Projects that swore up and down that they weren't doing FIPS
> would come back 2 years later, with a finished chip and ask "Can this be
> FIPS certified", after a customer made their requirements clear.
This question need not be addressed now (P(Y) unknown at t=0!).
> That's my usual list of questions. They may or may not apply to your
> situation.
Thanks for sharing this.
- Thierry Moreau
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
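Added example (not code from either poster) for the two concerns raised under D and in the reply to it: a most-common-value min-entropy estimate on raw samples, and a repetition-count health test that flags a source that "suddenly turns low entropy" after characterization. The 24-bit bridge samples are constructed Gaussian noise with an assumed offset, not measured data; the cutoff formula follows NIST SP 800-90B section 4.4.1.

```python
import math
import random
from collections import Counter

def mcv_min_entropy(symbols):
    """Most-common-value estimator: H_inf = -log2(p_max), assuming the
    adversary always guesses the mode. Point estimate only (SP 800-90B
    adds a confidence-interval correction); it can never exceed
    log2(len(symbols)), so full 24-bit samples need millions of them."""
    p_max = max(Counter(symbols).values()) / len(symbols)
    return -math.log2(p_max)

def repetition_count_cutoff(h_min, alpha=2.0 ** -20):
    """Run-length cutoff from SP 800-90B 4.4.1: under a claim of h_min
    bits/symbol a run of this many identical symbols has probability
    below alpha, so observing one is treated as a source failure."""
    return 1 + math.ceil(-math.log2(alpha) / h_min)

def repetition_count_test(symbols, cutoff):
    """Continuous health test. Returns True while healthy, False as soon
    as a value repeats `cutoff` times in a row (a flat-lined source)."""
    run, last = 0, None
    for s in symbols:
        run = run + 1 if s == last else 1
        last = s
        if run >= cutoff:
            return False
    return True

def simulated_bridge_samples(n, sigma_lsb, seed=1):
    """Constructed stand-in for a 24-bit ADC on the bridge output: a
    fixed offset plus Gaussian current noise of sigma_lsb LSBs."""
    rng = random.Random(seed)
    top = (1 << 24) - 1
    return [min(max(round(rng.gauss(1 << 23, sigma_lsb)), 0), top)
            for _ in range(n)]

def assess(samples, claimed_h_min):
    """Estimate min-entropy of the least significant byte of each sample
    and run the health test against the claimed per-byte rate."""
    low_bytes = [s & 0xFF for s in samples]
    cutoff = repetition_count_cutoff(claimed_h_min)
    return {"h_min_low_byte": mcv_min_entropy(low_bytes),
            "cutoff": cutoff,
            "healthy": repetition_count_test(low_bytes, cutoff)}

if __name__ == "__main__":
    print("noisy bridge:", assess(simulated_bridge_samples(20000, 300.0), 7.0))
    print("flat bridge: ", assess(simulated_bridge_samples(20000, 0.3), 7.0))
```

The low byte is used because with 20000 samples the estimator is bounded by log2(20000) anyway; the flat case (noise well below one LSB) shows the test tripping even though the same hardware passed characterization.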